hi all,

i'm trying to implement an API called RtlRunEncodeUnicodeString into my program, but i can't get it to work.

all info i can find about it is on this site (http://www.d--b.webpark.pl/reverse01_en.htm). i've implemented the opposite API once in another program (RtlRunDecodeUnicodeString) but the encode version is a lot harder to get to work....

can someone tell me how i can encode a string using a specific hashbyte with this function, and where the encoded string is returned?


Thanks in advance, and if you need more info, please let me know...

(ps, i'm using C instead of C++).

As you can see both are provided by ntdll.dll. So you can dynamitically load them by using LoadLibrary() and GetProcAddress:


typedef struct _STRING {
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} STRING, *PSTRING;

typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

DWORD RtlUpcaseUnicodeStringToOemString(
PSTRING OemStr,
PUNICODE_STRING UniStr,
DWORD Unknown // Always 1 ?
);

typedef void (__cdecl* Ptr_RtlRunEncodeUnicodeString) ( PBYTE, PUNICODE_STRING );

HMODULE hLib = NULL;
Ptr_RtlRunEncodeUnicodeString ptrEncode = NULL;

hLib = LoadLibrary("ntdll.dll");
if ( hLib == NULL )
{ // Handle error somewhat
}
ptrEncode = (Ptr_RtlRunEncodeUnicodeString)GetProcAddress(hLib, "RtlRunEncodeUnicodeString");
// Call function here
FreeLibrary(hLib);


So you don't have to implement it on your own.

i see i have misused the word implement (english is not my native language), i know how to call the function, but i am having problems using the parameters.

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define BUFSIZE 400

int main(void)
{
HMODULE hLoad;
FARPROC fProc;
BYTE HashByte=0x0A;
UNICODE_STRING Ucode;
char StringToEncode="Hello World!";
char buffer[BUFSIZE];

hLoad=LoadLibrary("ntdll.dll");

if(hLoad==NULL)
{
printf("Error: loading library");
return EXIT_FAILURE;
}
fProc=GetProcAddress(hLoad,"RtlRunEncodeUnicodeString");
if(fProc==NULL)
{
printf("Error: getting procedure address");
FreeLibrary(hLoad);
return EXIT_FAILURE;
}
Ucode.Length=strlen(StringToEncode);
Ucode.MaximumLength=BUFSIZE;
Ucode.Buffer=buffer;

(fProc) ((PVOID)HashByte, &Ucode);

/* this is how i would call the function, but where do i put the StringToEncode string, and where do i get the encoded string?*/

FreeLibrary(hLoad);
printf("All worked Fine");
return EXIT_SUCCESS;
}

this is how i would call the function, can you tell me what i do wrong?

thanks for your reply ;)

As far as I can see from the site you posted the returned string is directly written to the Buffer member of the following structure you pass to the function:


typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;


So the changes are made directly to the buffer you pass. I think you did it correctly within one mistake: It's not


char StringToEncode="Hello World!";
char buffer[BUFSIZE];


But


TCHAR StringToEncode = _T("Hello World!");
TCHAR buffer[BUFSIZE] = _T("");


And you need to enable unicode strings. I think it's done by defining the _UNICODE macro before you include the windows header.

With a little puzzling i got the program to compile ;-)

i couldn't use TCHAR StringToEnCode=_T("HelloWorld!"); since my compiler (dev-cpp) doesn't recognize _T.

but the following code compiles and looks like it works too ;)

i now just need to know for sure that this code is correct, and more important, if the output is correct!


#define _UNICODE
#define BUFSIZE 400

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Ntsecapi.h>
#include <strings.h>

int main(void)
{
HMODULE hLoad;
FARPROC fProc;
TCHAR buffer[BUFSIZE];
UNICODE_STRING Ucode;
BYTE HashByte;

hLoad=LoadLibrary("ntdll.dll");

if(hLoad==NULL)
{
printf("Error: loading library");
return EXIT_FAILURE;
}
fProc=GetProcAddress(hLoad,"RtlRunEncodeUnicodeString");
if(fProc==NULL)
{
printf("Error: getting procedure address");
FreeLibrary(hLoad);
return EXIT_FAILURE;
}
HashByte=0x00;
while(HashByte<255)
{
strcpy(buffer,"HelloWorld!");
Ucode.Length=strlen("HelloWorld!");
Ucode.MaximumLength=BUFSIZE;
Ucode.Buffer=(PVOID)buffer;
(fProc) (&HashByte,&Ucode);
printf("%s\n",buffer);
HashByte++;
}
FreeLibrary(hLoad);


return EXIT_SUCCESS;
}

can you tell me if it is?

thanks in advance,

regards,

You need the header tchar.h to use _T().


#include <tchar.h>


As far as I know, also MinGW supports this header file.

if i include tchar.h i get a bunch of errors, but if i just include it without doing anything else it compiles, but with a lot of warnings...

if i use TCHAR bufffer[BUFSIZE]=_T(""); the first error i get then is:
[WARING] "_TEXT" redefined.

so appearantly that doesn't work like this, maybe it is dev-cpp, maybe it is because i have included some other header files as well, i do not know, but honestly all i need is the output from the program once, since i need to search the memory for these strings.

can you tell me if the output from my program is correct? if so, then that is all i need to know for now, and i will continue trying to use _T , TCHAR and <tchar.h> soon (but not now ;)).

thanks for all your help :D

[WARNING] "_TEXT" redefined :DOne of the other headers is defining the macro (maybe string.h). Try putting the #include <tchar.h> immediately after the #include <windows.h> statement.

If this still doesn't work, and you only compile unicode, just use L"string", WCHAR and forget the tchar macros.

Arjay

thanks,

i already suspected some other headerfile was defining it.

i will try your suggestion asap, and i will let you know if it worked ;)